Back to Docs

Login & Authentication

Learn how to sign in to MerDoc using passwordless authentication and magic links.

Passwordless Login

MerDoc uses a secure passwordless authentication system. Instead of remembering passwords, you simply enter your email address and receive a magic link to sign in. This approach is more secure, convenient, and eliminates the need to manage passwords.

How to Sign In

Signing in to MerDoc is a simple, two-step process:

  1. Navigate to the login page
  2. Enter your email address
  3. Click "Send Magic Link"
  4. Check your email inbox for the magic link
  5. Click the link in the email to sign in
Email Delivery

Magic links are sent via email and typically arrive within seconds. If you don't see the email, check your spam or junk folder.

How Magic Links Work

Magic links are secure, time-limited authentication tokens that allow you to sign in without a password. Here's how the process works behind the scenes:

1

Request a Magic Link

When you enter your email address and click "Send Magic Link", MerDoc generates a unique, secure token (32 characters) that's cryptographically random.

2

Token Storage

The token is stored securely in the database with an expiration time of 15 minutes. The token is associated with your email address and can only be used once.

3

Email Delivery

An email containing the magic link is sent to your email address. The link includes the secure token as a parameter: /verify?token=...

4

Link Verification

When you click the magic link, MerDoc verifies the token by checking:

  • The token exists in the database
  • The token hasn't expired (15-minute window)
  • The token hasn't been used before
5

Account Creation or Sign In

If the token is valid:

  • If you're an existing user, you're signed in immediately
  • If you're new, a MerDoc account is automatically created for you
  • A secure session is established using HTTP-only cookies
6

Token Invalidation

After successful verification, the token is marked as used and can never be used again, ensuring security even if the link is intercepted.

Security Features

Single-Use Tokens

Each magic link can only be used once. After clicking it, the token is invalidated, preventing replay attacks.

Time-Limited

Magic links expire after 15 minutes. This limits the window of opportunity for unauthorized access if a link is intercepted.

Cryptographically Secure

Tokens are generated using secure random number generation (nanoid), making them impossible to guess or predict.

Email Verification

Since magic links are sent to your email, you must have access to your email account to sign in, adding an extra layer of security.

Benefits of Passwordless Authentication

  • No Password Management: You don't need to remember or manage passwords, reducing the risk of weak or reused passwords.
  • Enhanced Security: Eliminates password-related vulnerabilities like brute force attacks, credential stuffing, and password leaks.
  • Better User Experience: Faster sign-in process - just enter your email and click a link.
  • Automatic Account Creation: New users are automatically created when they first use a magic link, streamlining onboarding.
  • Email-Based Recovery: If you lose access, you can simply request a new magic link to your email address.

Troubleshooting

I didn't receive the magic link email

  • Check your spam or junk mail folder
  • Verify you entered the correct email address
  • Wait a few moments - emails can sometimes be delayed
  • Click "Send another magic link" to request a new one

The magic link expired

Magic links expire after 15 minutes for security reasons. Simply request a new magic link by entering your email address again on the login page.

The magic link says it's invalid

  • The link may have already been used (magic links are single-use)
  • The link may have expired (15-minute limit)
  • Request a new magic link from the login page

I'm already signed in

If you're already signed in, you'll be automatically redirected to your documents page when you visit the login page.